containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #25244 from giuseppe/mount-fix-segfault 

images: fix segfault when mounting without cap_sys_admin
This commit is contained in:
openshift-merge-bot[bot] 2025-02-07 15:30:59 +00:00 committed by GitHub
parent 708b34993d 2f710723df
commit 24b686e70c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 29 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
pkg/domain/infra/abi/containers.go
View File

@ -35,6 +35,7 @@ import (
"github.com/containers/podman/v5/pkg/specgenutil"
"github.com/containers/podman/v5/pkg/util"
"github.com/containers/storage"
"github.com/containers/storage/pkg/unshare"
"github.com/containers/storage/types"
"github.com/hashicorp/go-multierror"
"github.com/sirupsen/logrus"
@ -1361,7 +1362,11 @@ func (ic *ContainerEngine) ContainerInit(ctx context.Context, namesOrIds []strin
}
func (ic *ContainerEngine) ContainerMount(ctx context.Context, nameOrIDs []string, options entities.ContainerMountOptions) ([]*entities.ContainerMountReport, error) {
if os.Geteuid() != 0 {
hasCapSysAdmin, err := unshare.HasCapSysAdmin()
if err != nil {
return nil, err
}
if os.Geteuid() != 0 || !hasCapSysAdmin {
if driver := ic.Libpod.StorageConfig().GraphDriverName; driver != "vfs" {
// Do not allow to mount a graphdriver that is not vfs if we are creating the userns as part
// of the mount command.

39
pkg/domain/infra/abi/images.go
View File

@ -38,6 +38,7 @@ import (
"github.com/containers/podman/v5/pkg/errorhandling"
"github.com/containers/podman/v5/pkg/rootless"
"github.com/containers/storage"
"github.com/containers/storage/pkg/unshare"
"github.com/containers/storage/types"
"github.com/opencontainers/go-digest"
imgspecv1 "github.com/opencontainers/image-spec/specs-go/v1"
@ -157,6 +158,28 @@ func (ir *ImageEngine) Mount(ctx context.Context, nameOrIDs []string, opts entit
listMountsOnly := false
var images []*libimage.Image
var err error
hasCapSysAdmin, err := unshare.HasCapSysAdmin()
if err != nil {
return nil, err
}
if os.Geteuid() != 0 || !hasCapSysAdmin {
if driver := ir.Libpod.StorageConfig().GraphDriverName; driver != "vfs" {
// Do not allow to mount a graphdriver that is not vfs if we are creating the userns as part
// of the mount command.
return nil, fmt.Errorf("cannot mount using driver %s in rootless mode", driver)
}
became, ret, err := rootless.BecomeRootInUserNS("")
if err != nil {
return nil, err
}
if became {
os.Exit(ret)
}
}
switch {
case opts.All && len(nameOrIDs) > 0:
return nil, errors.New("cannot mix --all with images")
@ -178,22 +201,6 @@ func (ir *ImageEngine) Mount(ctx context.Context, nameOrIDs []string, opts entit
}
}
if os.Geteuid() != 0 {
if driver := ir.Libpod.StorageConfig().GraphDriverName; driver != "vfs" {
// Do not allow to mount a graphdriver that is not vfs if we are creating the userns as part
// of the mount command.
return nil, fmt.Errorf("cannot mount using driver %s in rootless mode", driver)
}
became, ret, err := rootless.BecomeRootInUserNS("")
if err != nil {
return nil, err
}
if became {
os.Exit(ret)
}
}
mountReports := []*entities.ImageMountReport{}
for _, i := range images {
var mountPoint string